[lug] eth0: tx interrupt but no status
D. Stimits
stimits at idcomm.com
Tue Dec 11 09:24:53 MST 2001
Paul Bille wrote:
>
> > Haven't heard of anything on 3409. Run this to see what is listening
> there, if anything:
> > fuser -v -u -n tcp "3409" -n udp "3409"
>
> fuser doesn't report anything, either tcp or udp on 3409. I guess that's
> good.
>
> 3409 is a high port that users can write applications to listen on. It
> would be bad if a foreign application was listening on 3409.
Looks like port 3409 has nothing behind it to answer, and has nothing to
be vulnerable to. In the case of many root kits though, particular
programs or ports get hidden from the tools that would detect it.
>
> I don't know details of the BIND overflow scheme but I understand that
> blocks of memory get sent back to a server, essentially a memory dump across
> the net. They then scan the dump for the root password, come back and log
> on as root and mess up the system.
I don't know the particulars there either, but overflow attacks from
vulnerable programs that run as root or have access to other programs
which in turn do run as root are particularly nasty evils. BIND has a
history of problems, though it also has a history of fast fixes for each
one. Thus you have to update within hours of a posted update if you
really want your BIND-related ports to be world useable.
D. Stimits, stimits at idcomm.com
>
> Thanks,
> Paul
> http://bille.cudenver.edu/author
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
More information about the LUG
mailing list